VRRP

From CCIE Study Wiki



Virtual Router Redundancy Protocol (VRRP) is a first-hop redundancy feature that lets a group of routers provide transparent fail-over to a LAN.

Theory


VRRP allows a group of routers to provide redundancy for a LAN environment. One router, the virtual router master, has the IP address of its LAN interface used as the virtual IP address. Client machines are configured with this IP as their default router.

The other routers in the VRRP group are virtual router backups. If the master router fails, the backup router configured with the highest priority becomes the virtual router master and provides forwarding service for the LAN clients. When the master recovers, it resumes the role of master and starts forwarding packets off of the LAN.

Up to 255 VRRP groups can be configured on an interface. The priority value for backup routers can be configured anywhere from 1 to 254; the backup router with the highest priority value takes over for the master. If the priorities of the backups are equal, the router with the highest IP address takes over traffic forwarding. VRRP priorities can be manipulated through Object Tracking.

Preemption is enabled by default with VRRP. If a backup router is forwarding traffic off of the LAN and another backup router comes online with a higher priority, it will assume the role of the forwarder of traffic. The master router, when online, will always be the forwarder off of the network (the master has a priority of 255 which will always win). Preemption is between backup routers only.

The master communicates with the other VRRP routers through VRRP advertisements. They are sent every second by default.

VRRP supports authentication to protect it from DoS attacks. Authentication options are text, an MD5 key-string, or an MD5 key-chain.

Commands

  • vrrp group ip ip-address [secondary] (interface) - Enables VRRP on an interface.
  • vrrp group shutdown (interface) - Disables VRRP on the interface without removing the config.
  • vrrp group priority priority (interface) - Specifies the priority for a backup router.
  • vrrp group preempt [delay minimum seconds] (interface) - Specifies the delay period a router should wait before preempting another one. Useful to prevent VRRP flapping behavior.
  • vrrp group timers advertise [msec] interval (interface) - Changes the advertisement interval.
  • vrrp group timers learn (interface) - Configured on a backup router; tells it to learn the advertisement interval from the master.
  • vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds] (interface) - Configures MD5 key-string authentication.
  • vrrp group authentication md5 key-chain key-chain (interface) - Configures MD5 key-chain authentication.
  • vrrp group authentication text text-string (interface) - Enables clear-text authentication.
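
The commands above combined into a two-router group, with the clear-text authentication option shown (commented out) beside the MD5 key-chain form. This is an added example, not configuration from the original wiki page; the group number, interface names, addresses (documentation range 192.0.2.0/24), key-chain name and key-string are all assumed placeholders.

```cisco
! Constructed example: every name, address and key below is a placeholder.
!
! Weak option: the text string travels unencrypted in each advertisement,
! so anyone who can capture traffic on the LAN can read it.
!  interface GigabitEthernet0/0
!   vrrp 10 authentication text EXAMPLE-TEXT
!
! Preferred option: MD5 key-chain. Define the same chain on every router
! in the group.
key chain VRRP-KEYS
 key 1
  key-string EXAMPLE-SHARED-SECRET
!
! --- R1: owns the virtual IP, so it is the virtual router master (255) ---
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 vrrp 10 ip 192.0.2.1
 vrrp 10 authentication md5 key-chain VRRP-KEYS
!
! --- R2: backup, priority raised above the default of 100 ---
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 vrrp 10 ip 192.0.2.1
 vrrp 10 priority 110
 vrrp 10 preempt delay minimum 30
 vrrp 10 authentication md5 key-chain VRRP-KEYS
```

After applying it, show vrrp brief on each router shows the group state, and debug vrrp authentication confirms that the key-chains match.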

Default Settings

  • Preemption is on by default
  • Advertisements sent every second
  • Default priority is 100
  • No preemption delay

Verification

  • show vrrp [brief | group] - Shows info about all or the listed VRRP groups
  • show vrrp interface type number [brief] - Displays info about VRRP groups on the specified interface.
  • debug vrrp authentication - Confirms authentication configured on both routers, and that the key-strings or key-chains match.


This page was last modified on 20 October 2009, at 17:46.